|
Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) is an algorithm from the branch of cryptography known as elliptic curve cryptography that implements a cryptographically secure pseudorandom number generator (CSPRNG) capable of generating a random bit stream. The algorithm is based on the mathematics of the elliptic curve discrete logarithm problem (ECDLP). Despite public criticism, it was for some time one of the four (now three) CSPRNGs standardized in NIST SP 800-90A as originally published circa March 2007. Weaknesses in the cryptographic security of the algorithm were known and publicly criticised well before the algorithm became part of a formal standard endorsed by the ANSI, ISO, and formerly by the National Institute of Standards and Technology (NIST). One of the weaknesses publicly identified was the potential of the algorithm to harbour a backdoor advantageous to the algorithm's designers—the United States government's National Security Agency (NSA)—and no-one else. In 2013, the New York Times reported that documents in their possession but never released to the public "appear to confirm" that the backdoor was real, and had been deliberately inserted by the NSA as part of the NSA's Bullrun decryption program. In December 2013, a Reuters news article alleged that in 2004, before NIST standardized Dual_EC_DRBG, NSA paid RSA Security $10 million in a secret deal to use Dual_EC_DRBG as the default in the RSA BSAFE cryptography library, which resulted in RSA Security becoming the most important distributor of the insecure algorithm.〔 RSA responded that they "categorically deny" that they had ever knowingly colluded with the NSA to adopt an algorithm that was known to be flawed, saying "we have never kept () relationship (the NSA ) a secret".〔 Sometime before its first known publication in 2004, a possible backdoor was discovered with the Dual_EC_DRBG's design, with the design of Dual_EC_DRBG having the unusual property that it was theoretically impossible for anyone but Dual_EC_DRBG's designers (NSA) to confirm the backdoor's existence. Bruce Schneier concluded shortly after standardization that the "rather obvious" backdoor (along with other deficiencies) would mean that nobody would use Dual_EC_DRBG.〔 The backdoor would allow NSA to decrypt for example SSL/TLS encryption which used Dual_EC_DRBG as a CSPRNG.〔 Members of the ANSI standard group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential backdoor and how to disable it,〔 but did not take sufficient steps to unconditionally disable the backdoor or to widely publicize it. The general cryptographic community was initially not aware of the potential backdoor, until Dan Shumow and Niels Ferguson's publication, or of Certicom's Daniel R. L. Brown and Scott Vanstone's 2005 patent application describing the backdoor mechanism. In September 2013, ''The New York Times'' reported that internal NSA memos leaked by Edward Snowden indicated that the NSA had worked during the standardization process to eventually become the sole editor of the Dual_EC_DRBG standard,〔(【引用サイトリンク】title=Revealed: how US and UK spy agencies defeat internet privacy and security )〕 and concluded that the Dual_EC_DRBG standard did indeed contain a backdoor for the NSA. As response, NIST stated that "NIST would not deliberately weaken a cryptographic standard."〔(Cryptographic Standards Statement ) ''NIST'' 10 September 2013〕 According to the New York Times story, the NSA spends $250 million per year to insert backdoors in software and hardware as part of the Bullrun program. A Presidential advisory committee subsequently set up to examine NSA's conduct recommended among other things that the US government "fully support and not undermine efforts to create encryption standards".〔 In April 21, 2014, NIST withdrew Dual_EC_DRBG from its draft guidance on random number generators recommending "current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible." ==Timeline== 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Dual EC DRBG」の詳細全文を読む スポンサード リンク
|